Gentoo Forums
Not able to connect to internet from qemu virtual machine
spsarolkar
n00b
Joined: 26 Jan 2018
Posts: 17

Posted: Fri Jan 26, 2018 6:07 am    Post subject: Not able to connect to internet from qemu virtual machine

I have a Windows 10 guest set up on my Gentoo host installation with the configuration below:
Code:

<domain type='kvm'>
  <name>ame=windows10</name>
  <uuid>a2fa43c9-fa02-4a43-8668-172de1cd9bce</uuid>
  <memory unit='KiB'>8388608</memory>
  <currentMemory unit='KiB'>8388608</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.10'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/mnt/share/vms/vir-mgr-images/vms-win10'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/share/isos/Win10_1709_English_x64.iso'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/mnt/share/isos/virtio-win-0.1.141.iso'/>
      <target dev='hdb' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='1'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:54:88:16'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='1'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </memballoon>
  </devices>
</domain>



I have a network bridge set up on my Gentoo host with the configuration below:

Code:
bridge_br0="enp3s0"

#config_br0="dhcp"
modules="!dhcpcd !udhcpc"

config_br0="192.168.0.11 netmask 255.255.255.0 brd 192.168.0.255"
routes_br0="default via 192.168.0.1"
dns_servers_br0="8.8.8.8 8.8.4.4"
#dns_servers_br0="8.8.8.8 8.8.4.4"

bridge_forward_delay_br0=0
bridge_hello_time_br0=1000


I am able to access the internet from my host.

From the guest I was earlier able to access the internet, but recently I installed Docker and that seems to have broken something on my machine. I tried uninstalling Docker but the problem persists.

My network configuration is as below:


Code:
sunils@sunils-pc ~ $ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 0e:16:f3:74:48:46 brd ff:ff:ff:ff:ff:ff
3: eql: <MASTER> mtu 576 qdisc noop state DOWN group default qlen 5
    link/slip
4: enp0s31f6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9c:5c:8e:bb:77:90 brd ff:ff:ff:ff:ff:ff
5: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
       valid_lft forever preferred_lft forever
6: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
8: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
9: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 brd 192.168.0.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
       valid_lft forever preferred_lft forever
10: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:4f:4b:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
11: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:4f:4b:5f brd ff:ff:ff:ff:ff:ff
32: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:85:53:8c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe85:538c/64 scope link
       valid_lft forever preferred_lft forever



Below is a screenshot of the network configuration in Windows 10:
https://cdn.pbrd.co/images/H4FwoPd.png


For some reason Windows picks up the subnet mask 255.255.0.0; I am not exactly sure where it picks it up from.

I have already wasted one week trying to find the solution. Can someone please help me regarding this?

Please note that when I set up the IP configuration manually I am able to ping my host and the DNS IP addresses, but network resolution fails if I try pinging google.com.

Below is the manual IP configuration:
IP : 192.168.0.10
Subnet Mask: 255.255.255.0
Gateway: 192.168.0.1
DNS: 8.8.8.8, 8.8.4.4

Ping test from Windows 10 guest

https://i.stack.imgur.com/0oIAy.png


Last edited by spsarolkar on Fri Jan 26, 2018 6:56 am; edited 1 time in total
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

Posted: Fri Jan 26, 2018 6:47 am

Hi,

First: please use code tags next time.
Second: do you have IP forwarding enabled on the host?

You should check this with
Code:

cat /proc/sys/net/ipv4/ip_forward


It should show "1" as the result; otherwise it's not enabled.

greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
spsarolkar
n00b
Joined: 26 Jan 2018
Posts: 17

Posted: Fri Jan 26, 2018 6:52 am

Hi bbgermany,

Sorry, just getting used to the editor; I will surely put the configuration in code tags henceforth.

ip_forward returns 1, please check it below:

Code:
sunils@sunils-pc ~ $ cat /proc/sys/net/ipv4/ip_forward
1
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

Posted: Fri Jan 26, 2018 10:05 am

You should have a look at the interfaces 10, 11 and 32 on your list. Maybe these are interfering with the config for your guest.

greets, bb
spsarolkar
n00b
Joined: 26 Jan 2018
Posts: 17

Posted: Fri Jan 26, 2018 10:24 am

Hi bb,

I tried deleting these interfaces, but no impact.

I even tried removing virtio altogether and using a simple qemu command to launch the VM:

Code:
qemu-system-x86_64 --enable-kvm -cpu host -smp cores=4,threads=1 -boot d -cdrom ../virtio-win-0.1.141.iso -vga qxl -m 10G -drive file=./win10.img,format=qcow2 -machine type=pc,accel=kvm -net nic -net bridge,br=br0 -usbdevice tablet -device virtio-serial-pci -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 -chardev spicevmc,id=spicechannel0,name=vdagent -smb /mnt/share/


The new interfaces look like below:

Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 0e:16:f3:74:48:46 brd ff:ff:ff:ff:ff:ff
3: eql: <MASTER> mtu 576 qdisc noop state DOWN group default qlen 5
    link/slip
4: enp0s31f6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9c:5c:8e:bb:77:90 brd ff:ff:ff:ff:ff:ff
5: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
       valid_lft forever preferred_lft forever
6: ip6_vti0@NONE: <NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
8: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
9: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9c:5c:8e:bc:3a:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 brd 192.168.0.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::9e5c:8eff:febc:3ae0/64 scope link
       valid_lft forever preferred_lft forever
44: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN group default qlen 1000
    link/ether fe:e3:3d:7a:65:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fce3:3dff:fe7a:6599/64 scope link
       valid_lft forever preferred_lft forever



In the above, tap0 is the interface autogenerated by qemu.

But I still get the same damn issue. I tried reinstalling Windows multiple times on separate images; I keep getting the exact same default IP assigned with the 255.255.0.0 subnet mask, and even if I change the subnet mask to match my router, I can successfully ping the host, Google DNS servers and Google IP addresses, but DNS resolution fails for google.com.

I get a feeling the issue is somewhere else in the OS and not in the virtual machine network configuration.

Everything was working fine initially, but a few days back I installed Docker, which seems to have broken things, and now even though I have uninstalled Docker things are not getting back to normal.
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

Posted: Fri Jan 26, 2018 10:28 am

The IP you see is an APIPA address, which you get if no DHCP server answers requests. Do you have a working DHCP server in your network?

greets, bb
spsarolkar
n00b
Joined: 26 Jan 2018
Posts: 17

Posted: Fri Jan 26, 2018 10:44 am

bbgermany wrote:
Do you have a working dhcp server in your network?


Currently there is no local DNS server, but I can see the Google DNS servers can be pinged from the Windows guest.

Last time I installed the DNS server it interfered with my static IP address assigned by netifrc. That's why DHCP is disabled in /etc/conf.d/net. But I uninstalled it after that.
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

Posted: Fri Jan 26, 2018 10:49 am

Not DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol). These are two different systems. The only point in common is that the DHCP server can provide a DNS server entry for your IP configuration.

What does "nslookup www.google.com" give you on your Windows guest, when you set up a static IP address on the Windows system?

greets, bb
spsarolkar
n00b
Joined: 26 Jan 2018
Posts: 17

Posted: Fri Jan 26, 2018 10:59 am

bbgermany wrote:
What does "nslookup www.google.com" gives you on your windows guest, when you setup a static ip address on the windows system?

Here is the output https://cdn.pbrd.co/images/H4Hrtz5.png

Regarding the DHCP server, I seem to have dnsmasq installed, but I never knew it was there. Are you talking about the same?


I have a DHCP server on the router running at 192.168.0.1; that's the gateway I mentioned.
spsarolkar
n00b
Joined: 26 Jan 2018
Posts: 17

Posted: Sat Jan 27, 2018 3:05 pm

I finally found some clues: when I flush iptables everything works like a charm.

There is some rule in my iptables which is blocking the local traffic. I am very new to iptables so I am not able to identify which rule is causing the issue; below is the dump of all the rules:


Code:
sunils@sunils-pc /var/log/samba $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
INPUT_direct  all  --  anywhere             anywhere           
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere           
INPUT_ZONES  all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere           
ACCEPT     all  --  anywhere             anywhere           
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
FORWARD_direct  all  --  anywhere             anywhere           
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere           
FORWARD_IN_ZONES  all  --  anywhere             anywhere           
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere           
FORWARD_OUT_ZONES  all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere           

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (1 references)
target     prot opt source               destination         
FWDI_public_log  all  --  anywhere             anywhere           
FWDI_public_deny  all  --  anywhere             anywhere           
FWDI_public_allow  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (1 references)
target     prot opt source               destination         
FWDO_public_log  all  --  anywhere             anywhere           
FWDO_public_deny  all  --  anywhere             anywhere           
FWDO_public_allow  all  --  anywhere             anywhere           

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (1 references)
target     prot opt source               destination         
IN_public_log  all  --  anywhere             anywhere           
IN_public_deny  all  --  anywhere             anywhere           
IN_public_allow  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination 


Can someone please help me with which rule I should be adding to allow the internet connection via the bridge from the guest?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13496

Posted: Sat Jan 27, 2018 11:25 pm

Actually, that is not a dump of all rules. That is only a dump of the filter table. There are other tables, notably nat and mangle. Generally, if you need help with a netfilter problem, you should post the output of iptables-save -c, not the output of iptables -L. The latter defaults to hiding information that may be useful to us.
spsarolkar
n00b
Joined: 26 Jan 2018
Posts: 17

Posted: Sun Jan 28, 2018 2:32 am

Hu wrote:
you should post the output of iptables-save -c, not the output of iptables -L. The latter defaults to hiding information that may be useful to us.


Please find it below:

Code:
sunils@sunils-pc ~ $ sudo rc-service iptables restart
 * Loading iptables state and starting firewall ...                                                          [ ok ]
sunils@sunils-pc ~ $ sudo iptables-save -c
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*nat
:PREROUTING ACCEPT [354:89200]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [30:4729]
:POSTROUTING ACCEPT [30:4729]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[293069:88502969] -A PREROUTING -j PREROUTING_direct
[293069:88502969] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[293069:88502969] -A PREROUTING -j PREROUTING_ZONES
[32338:5203134] -A OUTPUT -j OUTPUT_direct
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
[0:0] -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
[32358:5204222] -A POSTROUTING -j POSTROUTING_direct
[32358:5204222] -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
[32358:5204222] -A POSTROUTING -j POSTROUTING_ZONES
[0:0] -A POSTROUTING -o enp3s0 -j MASQUERADE
[32358:5204222] -A POSTROUTING_ZONES -g POST_public
[32358:5204222] -A POST_public -j POST_public_log
[32358:5204222] -A POST_public -j POST_public_deny
[32358:5204222] -A POST_public -j POST_public_allow
[293069:88502969] -A PREROUTING_ZONES -g PRE_public
[293069:88502969] -A PRE_public -j PRE_public_log
[293069:88502969] -A PRE_public -j PRE_public_deny
[293069:88502969] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*mangle
:PREROUTING ACCEPT [6662821:18584686283]
:INPUT ACCEPT [6413110:18501564014]
:FORWARD ACCEPT [63327:8973327]
:OUTPUT ACCEPT [4312399:10283978911]
:POSTROUTING ACCEPT [4313819:10284216935]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[6662821:18584686283] -A PREROUTING -j PREROUTING_direct
[6662821:18584686283] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[6662821:18584686283] -A PREROUTING -j PREROUTING_ZONES
[6413110:18501564014] -A INPUT -j INPUT_direct
[63327:8973327] -A FORWARD -j FORWARD_direct
[4312399:10283978911] -A OUTPUT -j OUTPUT_direct
[4313819:10284216935] -A POSTROUTING -j POSTROUTING_direct
[6662821:18584686283] -A PREROUTING_ZONES -g PRE_public
[6662821:18584686283] -A PRE_public -j PRE_public_log
[6662821:18584686283] -A PRE_public -j PRE_public_deny
[6662821:18584686283] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
# Generated by iptables-save v1.4.21 on Sun Jan 28 08:04:50 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [230:37454]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
[6368283:18495942558] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[53:3180] -A INPUT -i lo -j ACCEPT
[44774:5618276] -A INPUT -j INPUT_direct
[44774:5618276] -A INPUT -j INPUT_ZONES_SOURCE
[44774:5618276] -A INPUT -j INPUT_ZONES
[16:640] -A INPUT -m conntrack --ctstate INVALID -j DROP
[44753:5617328] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[72:4304] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i lo -j ACCEPT
[63255:8969023] -A FORWARD -j FORWARD_direct
[63255:8969023] -A FORWARD -j FORWARD_IN_ZONES_SOURCE
[63255:8969023] -A FORWARD -j FORWARD_IN_ZONES
[63231:8967807] -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
[63231:8967807] -A FORWARD -j FORWARD_OUT_ZONES
[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP
[63231:8967807] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i enp3s0 -o br0 -j ACCEPT
[0:0] -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
[4312399:10283978911] -A OUTPUT -j OUTPUT_direct
[63255:8969023] -A FORWARD_IN_ZONES -g FWDI_public
[63231:8967807] -A FORWARD_OUT_ZONES -g FWDO_public
[63255:8969023] -A FWDI_public -j FWDI_public_log
[63255:8969023] -A FWDI_public -j FWDI_public_deny
[63255:8969023] -A FWDI_public -j FWDI_public_allow
[24:1216] -A FWDI_public -p icmp -j ACCEPT
[63231:8967807] -A FWDO_public -j FWDO_public_log
[63231:8967807] -A FWDO_public -j FWDO_public_deny
[63231:8967807] -A FWDO_public -j FWDO_public_allow
[44774:5618276] -A INPUT_ZONES -g IN_public
[44774:5618276] -A IN_public -j IN_public_log
[44774:5618276] -A IN_public -j IN_public_deny
[44774:5618276] -A IN_public -j IN_public_allow
[3:180] -A IN_public -p icmp -j ACCEPT
[2:128] -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sun Jan 28 08:04:50 2018
sunils@sunils-pc ~ $
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

Posted: Mon Jan 29, 2018 7:58 am

Hi,

It looks (according to the iptables output) like there are still Docker firewall rules left installed (like FWDO <- sounds like FireWallDockerOut). Maybe these are preventing your access to the internet from your qemu VM, or did you set these rules manually?

greets, bb
spsarolkar
n00b
Joined: 26 Jan 2018
Posts: 17

Posted: Mon Jan 29, 2018 10:40 am

bbgermany wrote:
Maybe these are preventing your access to the internet from your qemu VM, or did you set these rules manually?


Of course not; I am new to iptables and have not yet set up any rules apart from those mentioned on the QEMU Gentoo wiki https://wiki.gentoo.org/wiki/QEMU

Below are the rules that I fired in the hope of making things work, but it didn't:

Code:
root #iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
root #iptables -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root #iptables -A FORWARD -i enp3s0 -o br0 -j ACCEPT

Can you please help me with which commands I should run to remove the irrelevant rules or add any additional rules to allow traffic in the local network? ...because when all iptables rules are on, I am not able to access my Samba share or VNC server even from the local network.
_________________
SunilS
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

Posted: Mon Jan 29, 2018 3:36 pm

spsarolkar wrote:
bbgermany wrote:
Maybe these are preventing your access to the internet from your qemu VM, or did you set these rules manually?


Of course not; I am new to iptables and have not yet set up any rules apart from those mentioned on the QEMU Gentoo wiki https://wiki.gentoo.org/wiki/QEMU

Below are the rules that I fired in the hope of making things work, but it didn't:

Code:
root #iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
root #iptables -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
root #iptables -A FORWARD -i enp3s0 -o br0 -j ACCEPT

Can you please help me with which commands I should run to remove the irrelevant rules or add any additional rules to allow traffic in the local network? ...because when all iptables rules are on, I am not able to access my Samba share or VNC server even from the local network.


Since you are running a bridged configuration, you won't even need those for access from your guest. The host and guest share the same subnet.

The init script of iptables saves the rules to /var/lib/iptables/rules-save. You could try moving the file to another location and restarting the iptables service (if you don't need a firewall at all).

greets, bb
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13496

Posted: Tue Jan 30, 2018 4:42 am

That table is a mess. I think I see an explanation for your specific problem (assuming your kernel is also configured to apply netfilter to bridges - this is optional, so not everyone does). However, I think you need to review the whole setup.
  • You have many rules that reference virbr0, but the VM is not joined to virbr0. It is joined to br0. Therefore, rules that specify virbr0 fail to match traffic involving this VM.
  • You bridged your physical NIC, but your netfilter rules still try to refer to it by name. These rules will fail to match, since traffic on a bridge uses the bridge name (but if you need to match on a specific physical interface, --physdev can be used).
  • You have a catch-all reject rule in the FORWARD chain above other rules. Fortunately, those rules can never match anything anyway, so failing to reach them has no adverse impact here.
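The rule walk Hu describes, as an added example that is not code from the thread, from Gentoo or from firewalld: it replays the FORWARD-path lines of the iptables-save -c dump posted above in first-match order and reports which rule decides a packet from the bridged guest, plus which rules name an interface the guest's traffic never uses. It assumes, as Hu's caveat requires, that the kernel applies netfilter to bridged frames (br_netfilter), so a frame crossing br0 enters FORWARD with -i br0 -o br0; the sample packets and the guest address 192.168.0.10 are constructed from the thread.

```python
"""Replay the poster's FORWARD chain in first-match order and report which rule decides a
packet from the bridged Windows guest. Added example, not code from the thread; it assumes
br_netfilter is on, so frames crossing br0 enter FORWARD with -i br0 and -o br0."""
import ipaddress
import re
from collections import namedtuple
# FORWARD-path lines copied from the iptables-save -c output posted above; the empty
# firewalld log/deny/allow sub-chains are left out because they decide nothing.
FILTER_DUMP = """\
[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
[72:4304] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i lo -j ACCEPT
[63255:8969023] -A FORWARD -j FORWARD_direct
[63255:8969023] -A FORWARD -j FORWARD_IN_ZONES_SOURCE
[63255:8969023] -A FORWARD -j FORWARD_IN_ZONES
[63231:8967807] -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
[63231:8967807] -A FORWARD -j FORWARD_OUT_ZONES
[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP
[63231:8967807] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -i br0 -o enp3s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i enp3s0 -o br0 -j ACCEPT
[63255:8969023] -A FORWARD_IN_ZONES -g FWDI_public
[63231:8967807] -A FORWARD_OUT_ZONES -g FWDO_public
[24:1216] -A FWDI_public -p icmp -j ACCEPT
"""
RULE_RE = re.compile(r"^\[\d+:\d+\]\s+-A\s+(\S+)\s*(.*)$")
OPTS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "-p": "proto",
        "--ctstate": "state", "--state": "state"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
Rule = namedtuple("Rule", "matches target goto text")   # matches: field -> (negated, value)

def parse_dump(dump: str) -> dict:
    chains: dict = {}   # chain name -> rules in the order iptables evaluates them
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, toks = m.group(1), m.group(2).split()
        matches, target, goto, neg, i = {}, "", False, False, 0
        while i < len(toks):
            if toks[i] == "!":
                neg, i = True, i + 1
            elif toks[i] in ("-j", "-g"):
                target, goto, i = toks[i + 1], toks[i] == "-g", i + 2
            elif toks[i] in OPTS:
                matches[OPTS[toks[i]]], neg, i = (neg, toks[i + 1]), False, i + 2
            else:
                i += 1   # "-m conntrack", "--reject-with ..." and the like carry no match here
        chains.setdefault(chain, []).append(Rule(matches, target, goto, line))
    return chains

def rule_matches(rule: Rule, pkt: dict) -> bool:
    for field, (neg, value) in rule.matches.items():
        if field in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)
        elif field == "state":
            hit = pkt["state"] in value.split(",")
        else:
            hit = pkt[field] == value
        if hit == neg:   # a plain match that missed, or a negated match that hit
            return False
    return True

def walk(chains: dict, chain: str, pkt: dict, trace: list):
    for rule in chains.get(chain, []):   # first terminal verdict, or None on fall-through
        if not rule_matches(rule, pkt):
            continue
        trace.append(rule.text)
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, trace)
        if verdict is not None or rule.goto:   # after -g a fall-through returns to our caller
            return verdict
    return None

def decide(chains: dict, pkt: dict, policy: str = "ACCEPT") -> tuple:
    trace: list = []   # (verdict, the rule line that produced it) for pkt entering FORWARD
    verdict = walk(chains, "FORWARD", pkt, trace)
    return (verdict or policy, trace[-1] if trace else "policy " + policy)

def dead_interface_rules(chains: dict, live: set) -> list:
    """Rules whose -i/-o names an interface that never carries the guest's br0 traffic."""
    return [r.text for rules in chains.values() for r in rules
            if any(f in r.matches and r.matches[f][1] not in live for f in ("in", "out"))]

def bridged_packet(proto: str, state: str = "NEW") -> dict:
    # Constructed sample: the guest at 192.168.0.10 reaching 8.8.8.8 through br0.
    return {"in": "br0", "out": "br0", "src": "192.168.0.10", "dst": "8.8.8.8",
            "proto": proto, "state": state}

if __name__ == "__main__":
    chains = parse_dump(FILTER_DUMP)
    print([decide(chains, bridged_packet(p)) for p in ("icmp", "udp")])
```

ICMP from the guest is accepted by the FWDI_public icmp rule (its 24-packet counter matches the ping tests), while a NEW UDP query to 8.8.8.8 reaches the catch-all REJECT before the two FORWARD rules added from the wiki, which is exactly the ping-works-but-DNS-fails symptom in the thread.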